Hybrid Fuzzing with LLM-Guided Input Mutation and Semantic Feedback
Shiyin Lin

TL;DR
This paper introduces a hybrid fuzzing framework that combines static and dynamic analysis with Large Language Model-guided input mutation and semantic feedback, leading to faster and more diverse vulnerability discovery.
Contribution
It presents a novel approach integrating LLMs with semantic feedback in fuzzing, improving efficiency and depth of vulnerability detection over existing methods.
Findings
Faster time-to-first-bug compared to state-of-the-art fuzzers
Higher semantic diversity in generated inputs
Competitive number of unique bugs discovered
Abstract
Software fuzzing has become a cornerstone in automated vulnerability discovery, yet existing mutation strategies often lack semantic awareness, leading to redundant test cases and slow exploration of deep program states. In this work, I present a hybrid fuzzing framework that integrates static and dynamic analysis with Large Language Model (LLM)-guided input mutation and semantic feedback. Static analysis extracts control-flow and data-flow information, which is transformed into structured prompts for the LLM to generate syntactically valid and semantically diverse inputs. During execution, I augment traditional coverage-based feedback with semantic feedback signals (derived from program state changes, exception types, and output semantics), allowing the fuzzer to prioritize inputs that trigger novel program behaviors beyond mere code coverage. I implement my approach atop AFL++,…
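The abstract's central idea is that an input deserves a place in the seed queue not only when it reaches new code but also when it produces a new program behaviour (a different exception type, a different class of output). The following Python example, added here and not part of the paper or its AFL++ implementation, shows that scheduling rule on a constructed toy target. A hand-maintained `trace` set stands in for AFL++'s edge-coverage bitmap, and a plain byte-level mutator stands in for the paper's LLM-guided mutation; the target, the corpus, and the output classes are all constructed for the example.

```python
import random
from dataclasses import dataclass, field

# Constructed toy target: a tiny "KEY=VALUE" parser. The `trace` set stands in
# for the edge-coverage bitmap a real fuzzer (e.g. AFL++) would collect; this
# manual instrumentation is an assumption of the example, not the paper's code.
def target(data: bytes, trace: set) -> str:
    trace.add("entry")
    text = data.decode("ascii")            # UnicodeDecodeError on bytes >= 0x80
    if "=" not in text:
        trace.add("no_sep")
        raise ValueError("missing '='")
    key, value = text.split("=", 1)
    trace.add("split")
    if key == "count":
        trace.add("count")
        n = int(value)                     # ValueError if not an integer
        if n > 1000:
            trace.add("big")
            raise OverflowError("count too large")
        return "#" * n
    trace.add("echo")
    return value

def classify_output(out: str) -> str:
    """Coarse output semantics: empty / short / long."""
    if not out:
        return "empty"
    return "short" if len(out) < 16 else "long"

# Every semantic signature the toy target can produce (used as a sanity bound).
ALLOWED_SIGS = {("ok", "empty"), ("ok", "short"), ("ok", "long"),
                ("ValueError", ""), ("UnicodeDecodeError", ""), ("OverflowError", "")}

def execute(data: bytes):
    """Run one input; return (coverage edges, semantic signature)."""
    trace: set = set()
    try:
        sig = ("ok", classify_output(target(data, trace)))
    except Exception as exc:               # the exception type is the semantic signal
        sig = (type(exc).__name__, "")
    return frozenset(trace), sig

@dataclass
class Scheduler:
    """Seed queue fed by coverage novelty and, optionally, semantic novelty."""
    use_semantic: bool = True
    seen_edges: set = field(default_factory=set)
    seen_sigs: set = field(default_factory=set)
    queue: list = field(default_factory=list)

    def consider(self, data: bytes):
        edges, sig = execute(data)
        new_cov = not edges <= self.seen_edges   # reached an unseen edge?
        new_sem = sig not in self.seen_sigs      # produced an unseen behaviour?
        self.seen_edges |= edges
        self.seen_sigs.add(sig)
        if new_cov or (self.use_semantic and new_sem):
            self.queue.append(data)
        return new_cov, new_sem

# Constructed corpus: pairs of inputs that share coverage but differ in behaviour.
CORPUS = [b"k=v", b"k=", b"count=3", b"count=x", b"nosep", b"\xff=1",
          b"count=3", b"k=" + b"v" * 20]

def compare_feedback():
    """Feed the corpus to a coverage-only and a coverage+semantic scheduler."""
    cov_only, hybrid = Scheduler(use_semantic=False), Scheduler(use_semantic=True)
    decisions = []
    for data in CORPUS:
        cov_only.consider(data)
        new_cov, new_sem = hybrid.consider(data)
        decisions.append((data, new_cov, new_sem))
    return {"coverage_only": len(cov_only.queue), "hybrid": len(hybrid.queue),
            "decisions": decisions}

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Byte-level mutator (bit flip / insert / delete); a stand-in for LLM-guided mutation."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def fuzz(iterations: int, seed: int = 1) -> Scheduler:
    """Seed the hybrid scheduler with three inputs, then mutate queue entries."""
    rng = random.Random(seed)
    sched = Scheduler()
    for data in CORPUS[:3]:
        sched.consider(data)
    for _ in range(iterations):
        sched.consider(mutate(rng.choice(sched.queue), rng))
    return sched

if __name__ == "__main__":
    result = compare_feedback()
    print("queued by coverage only:", result["coverage_only"])
    print("queued by coverage + semantics:", result["hybrid"])
    print("behaviours found by fuzzing:", sorted(fuzz(500).seen_sigs))
```

On the scripted corpus the coverage-only scheduler keeps three seeds, while the semantic one also keeps `k=` (empty output), `count=x` (a `ValueError` on a path already covered), `\xff=1` (a decode error that touches no new edge) and the long-output variant, which is exactly the kind of behavioural diversity the abstract says coverage alone misses. A duplicate input is rejected by both.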
Taxonomy
Topics: Software Testing and Debugging Techniques · Software Engineering Research · Advanced Malware Detection Techniques
